@poontology
Last active April 19, 2025 13:10
Block VR HMD from accessing anything but SLR

VR HMDs are really verbose at calling home. For local video viewing, HereSphere + stashvr can still be used simply by allowing traffic between the LAN IPs (DNS isn't even needed), but to enable cloud streaming from a service such as SLR while blocking everything else, here's one approach:

setup

  • HMD is connecting to WiFi AP that gives it a static DHCP lease for 10.20.0.30
  • opnsense firewall used as gateway router at 10.20.0.1
  • pi.hole DNS running at 10.20.0.2

pihole

/admin/groups: add slr group

/admin/groups/clients: add client IP to slr group

/admin/groups/domains: add rules for slr group
 Regex allow: (\.|^)(deovr\.com|vrvideo\.cloud|sexlikereal\.com)$
 Regex deny: .*

Test by adding a PC to the group: host google.com 10.20.0.2 should resolve to 0.0.0.0
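
In Pi-hole a matching allow rule takes priority over the deny-all rule, so the allow regex alone decides which names the HMD can resolve. The following is an added example, not part of the original gist: it compares an allow pattern written with unescaped dots and no label boundary against a label-anchored one. Python's re module stands in for Pi-hole's regex engine (an assumption that holds for these simple patterns), and the hostnames are constructed.

```python
import re

# The three service domains named in the gist.
DOMAINS = ["deovr.com", "vrvideo.cloud", "sexlikereal.com"]

# Loose form: "." matches any character and nothing forces a label boundary.
LOOSE = re.compile(r".*(deovr.com|vrvideo.cloud|sexlikereal.com)$")
# Strict form: dots escaped, match must begin at the name start or after a dot.
STRICT = re.compile(r"(\.|^)(" + "|".join(re.escape(d) for d in DOMAINS) + r")$")
# The group's catch-all deny rule.
DENY_ALL = re.compile(r".*")


def resolves(name, allow):
    """Model the group's decision: an allow match overrides the deny-all rule."""
    name = name.lower().rstrip(".")
    if allow.search(name):
        return True
    return not DENY_ALL.search(name)  # deny-all matches everything, so: blocked


def audit(names):
    """Return names the loose rule lets through but the strict rule blocks."""
    return [n for n in names if resolves(n, LOOSE) and not resolves(n, STRICT)]


# Constructed hostnames: real service names, look-alikes, and unrelated names.
SAMPLES = [
    "deovr.com",
    "geo.cdn.vrvideo.cloud",
    "www.sexlikereal.com",
    "google.com",
    "notdeovr.com",           # shares a suffix but is a different registration
    "evilvrvideo.cloud",      # same problem on the second domain
    "cdn.deovrxcom",          # unescaped "." matched the "x"
    "deovr.com.example.net",  # service name used as a subdomain label
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:24} loose={resolves(host, LOOSE)!s:5} "
              f"strict={resolves(host, STRICT)}")
    print("allowed only by the loose rule:", audit(SAMPLES))
```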

opnsense

/ui/firewall/alias: create two aliases (don't forget to hit Apply)
  HETZNER_asn:	BGP ASN	24940	"s3for.me + vrvideo.cloud"
  SLR_hosts:	Host(s)	deovr.com geo.cdn.vrvideo.cloud sexlikereal.com
  
/firewall_rules.php?if=opt1: add rules
rule   src         sport  dst                      dport
ALLOW  10.20.0.30  *      pi.hole                  53 (DNS) (protocol: udp, to enable dports)
ALLOW  10.20.0.30  *      SLR_hosts, HETZNER_asn
DENY   10.20.0.30  *      *

AS24940 is pretty big and this could be tightened further but there's limits to my paranoia
